To detect constrained delegation, use PowerView:
If the command prints anything, the domain has services or users that are allowed to authenticate elsewhere on behalf of other principals. With sufficient permissions, we can dump their credentials and use them for lateral movement.
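As an added defender-side example (not from the original notes, and not PowerView), the audit below uses the RSAT ActiveDirectory module to list every account with constrained delegation configured and flags the two conditions the rest of these notes depend on: protocol transition and "store password using reversible encryption". It also lists Domain Admins that are still delegable, which is what the mitigation ("account is sensitive and cannot be delegated" or Protected Users membership) should cover. Group names and SPN patterns are assumptions for a typical domain.

```powershell
# Added audit example; assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# userAccountControl bits as documented by Microsoft
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("any authentication protocol")
$ENCRYPTED_TEXT_PWD_ALLOWED     = 0x80       # "store password using reversible encryption"
$NOT_DELEGATED                  = 0x100000   # "account is sensitive and cannot be delegated"

function Get-ConstrainedDelegationAudit {
    # Any user or computer with msDS-AllowedToDelegateTo populated has constrained delegation.
    $objs = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties 'sAMAccountName', 'objectClass', 'userAccountControl', 'msDS-AllowedToDelegateTo'

    foreach ($o in $objs) {
        $uac     = [int]$o.userAccountControl
        $targets = @($o.'msDS-AllowedToDelegateTo')
        [pscustomobject]@{
            Account            = $o.sAMAccountName
            Type               = $o.objectClass
            DelegatesTo        = ($targets -join ', ')
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            ReversibleEncPwd   = [bool]($uac -band $ENCRYPTED_TEXT_PWD_ALLOWED)
            Findings           = @(
                if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Protocol transition on: tickets for any user to the listed SPNs' }
                if ($uac -band $ENCRYPTED_TEXT_PWD_ALLOWED)     { 'Reversible encryption on: cleartext recoverable from LSA/NTDS' }
                # assumed "high impact" service classes: remoting, web, file, directory
                if ($targets | Where-Object { $_ -match '^(wsman|http|cifs|ldap)/' }) { 'Target SPNs include remoting/file/directory services' }
            ) -join '; '
        }
    }
}

function Get-DelegablePrivilegedAccounts {
    # Domain Admins that an abused delegation could impersonate; each should be
    # marked NOT_DELEGATED or placed in Protected Users.
    $protected = Get-ADGroupMember 'Protected Users' -Recursive | Select-Object -ExpandProperty distinguishedName
    Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties userAccountControl |
        Where-Object { -not ($_.userAccountControl -band $NOT_DELEGATED) -and $_.DistinguishedName -notin $protected } |
        Select-Object SamAccountName, DistinguishedName
}

Get-ConstrainedDelegationAudit      | Format-Table -AutoSize
Get-DelegablePrivilegedAccounts     | Format-Table -AutoSize
```

Run it as an account that can read the domain; an empty first table means no constrained delegation is configured, while any row with ProtocolTransition and ReversibleEncPwd both true matches the scenario these notes describe.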
Note
The below example assumes that the vulnerable user is a service account that can authenticate against HTTP and WSMAN on THMSERVER1.
With admin privileges on a compromised domain-joined machine, we can dump the delegation-enabled user’s cleartext credentials from LSA secrets (if the option “store passwords with reversible encryption” is enabled).
Look for the cur/text field or, if it is not present, the NTLM fields. Then exit Mimikatz to prevent the privileged token from being used in the following attack.
Use kekeo to request a TGT with the cleartext credentials, then use the service account's TGT to generate a TGS for the admin user (since the svcIIS user has the SeImpersonate privilege).
kekeo # tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc
Use Mimikatz again to inject the TGS/service tickets into memory:
Use the injected ticket to authenticate for PowerShell remoting through wsman:
If PowerShell fails to create the PS session, try closing and reopening it (and reinjecting the tickets).